Continental Casualty (CNA) Data Breach 2026: 6,086 Illinois Policyholders Exposed. Separate From 2021 Phoenix CryptoLocker. What To Do
Continental Casualty Company (CNA), the insurance subsidiary of CNA Financial Corp., disclosed an October 2024 intrusion of external systems (discovered January 2025) affecting 6,086 individuals in Illinois. Distinct from the 2021 Phoenix CryptoLocker ransomware. 12 months Epiq identity-monitoring offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 21, 2024
Unauthorized access to CNA external systems
Jan 13, 2025
CNA discovers the intrusion (~12-week dwell time)
Apr 1, 2025
Individual notification letters sent Q1-Q2 2025
Jan 15, 2026
HHS OCR portal posting (Illinois, 6,086 affected)
Oct 21, 2024
Unauthorized access to CNA external systems
Jan 13, 2025
CNA discovers the intrusion (~12-week dwell time)
Apr 1, 2025
Individual notification letters sent Q1-Q2 2025
Jan 15, 2026
HHS OCR portal posting (Illinois, 6,086 affected)
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Continental Casualty Company (CNA) is the insurance subsidiary of CNA Financial Corp., headquartered at 151 N. Franklin Street in Chicago, Illinois. CNA’s portfolio includes long-term care insurance, group benefits, and professional liability — lines that bring CNA under HIPAA as a covered entity / business associate.
On October 21, 2024, an unauthorized actor accessed CNA’s external systems. CNA discovered the intrusion on January 13, 2025 — a roughly 12-week dwell time. Individual notification letters were mailed in Q1-Q2 2025. The HHS OCR breach portal lists 6,086 affected individuals in Illinois under a 2026 filing.
This incident is separate from the 2021 Phoenix CryptoLocker ransomware attack that hit CNA Financial directly (reportedly settled with a ~$40M ransom payment, ~75,000 individuals affected). The 2021 event was a network-encryption ransomware compromise; the 2024-2025 incident is a distinct intrusion of “external systems.”
No threat actor has publicly claimed responsibility. No ransomware leak-site listing has been observed.
Separately, the New York Department of Financial Services issued a Consent Order to CNA Insurance Group on December 22, 2024 for cybersecurity-regulation compliance issues — that order relates to earlier compliance posture, not specifically to this 2024-2025 breach.
What was stolen
Public notification letters describe the incident as “Notice of Data Breach” but specific data-element enumerations are not exposed in publicly indexed copies. Based on CNA’s portfolio (long-term care, group benefits, professional liability), the exposure likely includes:
- Full name
- Social Security number (likely)
- Policy / health-benefit information
OCR’s classification of this filing as a HIPAA breach implies PHI was involved.
What CNA is offering
- 12 months of complimentary identity-monitoring service through Epiq
What to do
- Enroll in Epiq monitoring through the activation code in your letter.
- Place free credit freezes at all three bureaus.
- File IRS Form 14039 if your SSN was in scope.
- Read your specific notification letter to confirm what data elements were involved in your case — public disclosures are sparse for this incident.
- Stop the ongoing flow of your insurance-data PHI. HealthConsent files HIPAA restriction requests covering long-term-care and group-benefit insurance data flows.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Srourian Law: CNA Investigation
- My Injury Attorney: CNA Investigation
- Bloomberg Law: CNA Suit
- NY DFS Consent Order (CNA, Dec 2024)
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.